Closed Bug 1959603 Opened 1 year ago Closed 1 year ago

Show correct Content-Security-Policy hash in the error message about a missing hash

Categories

(Core :: DOM: Security, enhancement)


Tracking


RESOLVED FIXED
140 Branch
Tracking Status
firefox140 --- fixed

People

(Reporter: Honza, Assigned: tschuster)

References

(Blocks 2 open bugs, Regressed 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

Originally reported here:
https://connect.mozilla.org/t5/ideas/show-correct-content-security-policy-hash-in-the-error-message/idi-p/92817

You can use hashes to confirm the integrity of inline <script>s by adding them to the Content Security Policy (CSP) header of the page. If the CSP header is used but a script is not allowed, because the hash is missing (or wrong), an error message is shown in the dev tools' console. In Firefox it looks like this:

Content-Security-Policy: The page’s settings blocked an inline script (script-src-elem) from being executed because it violates the following directive: "script-src 'self' 'sha256-N0WgDOqcdfL9w1uP613+B2yu6dpc5KPYLXeb9XHepPc=' https://*.googletagmanager.com "

It's hard to find out the correct hash for an inline script. The easiest way at the moment is to use Google Chrome, as it has a better error message:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-N0WgDOqcdfL9w1uP613+B2yu6dpc5KPYLXeb9XHepPc=' https://*.googletagmanager.com ". Either the 'unsafe-inline' keyword, a hash ('sha256-ofImKSSljLzXLojBYDvShM2hWb1UdlR0IiXtVV6UO34='), or a nonce ('nonce-...') is required to enable inline execution.

I suggest improving Firefox's error message to display the hash that would be correct.

The string comes from https://searchfox.org/mozilla-central/rev/601256c3cc6f397b018995810fd3f586570f50ee/dom/locales/en-US/chrome/security/csp.properties#19

CSPInlineScriptViolation = The page’s settings blocked an inline script (%2$S) from being executed because it violates the following directive: “%1$S”

I know we have (had?) bugs to improve those, Tom, does that ring a bell?

Flags: needinfo?(tschuster)

I guess this is a duplicate of bug 1562908. This bug is a lot more detailed though.

Providing a hash for an inline script should be doable, I will have a quick look later. However for external scripts it might be too late to generate a hash (with our current setup) when reporting the error.

Flags: needinfo?(tschuster)
Flags: needinfo?(tschuster)
Assignee: nobody → tschuster
Flags: needinfo?(tschuster)
Depends on: 1959949
Duplicate of this bug: 1562908

The new messages look like this:

Content-Security-Policy: The page’s settings blocked an event handler (script-src-attr) from being executed because it violates the following directive: “script-src 'none'”. You are missing a hash ('sha256-uRzQWvBfDqDMr0ZqAdxnDzuAbWU0ArkNpz+HTBspO70=') together with 'unsafe-hashes' or 'unsafe-inline'.
Source: foo() test.html

Content-Security-Policy: The page’s settings blocked an inline style (style-src-attr) from being applied because it violates the following directive: “style-src 'self'”. You are missing a hash ('sha256-nqxfeT8mOxIBc/XJhfHEuIyE49jR9048DvDUnqQgtWk=', requires 'unsafe-hashes' for style attributes), a nonce or 'unsafe-inline'.
Source: background-color: green; test.html

Content-Security-Policy: The page’s settings blocked an inline style (style-src-elem) from being applied because it violates the following directive: “style-src 'self'”. You are missing a hash ('sha256-VSgsGCBrm+uZmPXqoVuFyTiEY5ZWeK9SCeLMOj/1uUc=', requires 'unsafe-hashes' for style attributes), a nonce or 'unsafe-inline'. test.html:6:1

Content-Security-Policy: The page’s settings blocked an inline script (script-src-elem) from being executed because it violates the following directive: “script-src 'none'”. You are missing a hash ('sha256-pZGm1Av0IEBKARczz7exkNYsZb8LzaMrV7J32a2fFG4='), a nonce or 'unsafe-inline'. test.html:7:11

Component: Console → DOM: Security
Product: DevTools → Core
Severity: -- → N/A
Whiteboard: [domsecurity-active]
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/fbbe7ac0dde7 Improve the CSP error messages for inline style/script to include the SHA256 hash. r=simonf,devtools-reviewers,nchevobbe

Backed out for causing mochitest failures browser_webconsole_csp_violation.js

  • Failure line: TEST-UNEXPECTED-FAIL | devtools/client/webconsole/test/browser/browser_webconsole_csp_violation.js | Uncaught exception in test bound - [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIStringBundle.formatStringFromName]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: chrome://mochitests/content/browser/devtools/client/webconsole/test/browser/browser_webconsole_csp_violation.js :: <TOP_LEVEL>
Flags: needinfo?(tschuster)
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/825f77c21edc Improve the CSP error messages for inline style/script to include the SHA256 hash. r=simonf,devtools-reviewers,nchevobbe
Flags: needinfo?(tschuster)
Regressions: 1963557
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 140 Branch
QA Whiteboard: [qa-triage-done-c141/b140]